Shedding New Light on Network Behavior via DNS Query Analysis

Paul Barford
University of Wisconsin-Madison
Computer Science

The Domain Name System (DNS) is one of the most important and widely used services in the Internet. In addition to translating hostnames into IP addresses for applications, DNS is now being used in a number of other ways, including content distribution, blacklisting services for spam checking, and covert channels for malicious traffic. In this talk, we will describe these overloaded applications and consider the question of how DNS traffic monitoring can provide an important and useful perspective on network traffic in an enterprise. We will describe a number of methods for using DNS information to gain a broader perspective, including a new context-aware clustering methodology that is applied to DNS query-response traces to generate desired aggregates. This method enables the analysis to be scaled to expose the desired level of detail for each traffic type, and to expose their time-varying characteristics. We implement our method in a tool we call TreeTop, which can be used to analyze and visualize DNS traffic in real time. We demonstrate the capabilities and utility of TreeTop using a set of DNS traces that we collected over a four-month period on our campus network. Our evaluation highlights both the coarse and the fine level of detail on network behavior that can be exposed by our method.
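As an added illustration (not TreeTop's code; the abstract does not detail its clustering method), the Python below shows one plausible way to build DNS aggregates at an adjustable level of detail: query names from a constructed log are counted at every suffix of the name, and a subtree is expanded only where it carries at least a threshold number of queries, so heavy names surface in detail while the long tail stays coarse. The log lines, the threshold rule and the "*.suffix" naming are assumptions made for this example.

```python
from typing import Dict, Iterator, Tuple

# Constructed sample of one-record-per-line DNS query logs: client, qname, qtype.
SAMPLE_LOG = """\
10.0.0.5 www.example.com. A
10.0.0.5 www.example.com. AAAA
10.0.0.7 cdn1.static.example.com. A
10.0.0.7 cdn2.static.example.com. A
10.0.0.9 cdn3.static.example.com. A
10.0.0.9 mail.example.com. MX
10.0.0.5 zen.spamhaus.org. A
10.0.0.5 2.0.0.127.zen.spamhaus.org. A
10.0.0.7 1.2.3.4.zen.spamhaus.org. A
10.0.0.9 updates.vendor.net. A
"""

def parse_log(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (client, qname); the trailing dot and case are normalised."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            yield parts[0], parts[1].rstrip(".").lower()

def build_suffix_tree(qnames) -> dict:
    """Count queries at every suffix of every name: root -> tld -> 2nd level -> ..."""
    root = {"count": 0, "children": {}}
    for name in qnames:
        node = root
        node["count"] += 1
        for label in reversed(name.split(".")):
            node = node["children"].setdefault(label, {"count": 0, "children": {}})
            node["count"] += 1
    return root

def aggregate(node: dict, threshold: int, suffix: str = "") -> Dict[str, int]:
    """Expand a child only if it holds >= threshold queries (assumed rule). Queries not
    claimed by an expanded child are folded into '*.suffix' (the suffix itself and
    anything beneath it), so the output partitions every query exactly once."""
    out, residual = {}, node["count"]
    for label, child in node["children"].items():
        name = f"{label}.{suffix}" if suffix else label
        if child["count"] >= threshold:
            out.update(aggregate(child, threshold, name) if child["children"]
                       else {name: child["count"]})
            residual -= child["count"]
    if residual > 0:
        out[f"*.{suffix}" if suffix else "*"] = residual
    return out

def report(text: str, threshold: int) -> Dict[str, int]:
    """Parse a log and return aggregates at the detail level set by `threshold`."""
    return aggregate(build_suffix_tree(q for _, q in parse_log(text)), threshold)
```

Lowering the threshold exposes more of the tree (e.g. the per-CDN-host names), raising it collapses the view back toward second-level domains.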

